1. Field of Invention
The invention relates generally to data network communications and more particularly to a technique for validating transmission control protocol (TCP) communication between a client requesting resources and a server providing requested resources to protect the specified server from a distributed denial of service (DDoS) attack.
2. Description of Related Art
In a traditional TCP 3-way handshake, the implementation of which is apparent to one of ordinary skill in the art, an initial packet with a TCP bit flag SYN is generated from a client to a server. A plurality of intermediary routing and switching devices assure the delivery of the data packet from the client to the server, and vice versa. The server generates a response packet with the TCP bit flags SYN and ACK set. The client then responds with a TCP ACK packet, establishing a completed TCP session.
Upon generation of the initial TCP SYN packet from the client, the server reserves and allocates a predetermined quantity of system resources, including processor, RAM, and/or disk, for the facilitation of this connection. The server maintains these resources for a predetermined period of time, often as long as several minutes. As computer systems have limited resources, an attacker can take advantage of this situation by generating a large quantity of SYN packets to the server, exhausting all system resources. The server will then become unresponsive to legitimate client requests, thus denying service to legitimate clients. This is one embodiment of a “denial of service” attack. Generally, prior art systems “detect” denial of service conditions, but fail to actually mitigate this undesirable situation.
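The resource-reservation behaviour described above can be made concrete with a small model of the server's half-open connection table. This is an added illustration, not code from the patent; the capacity, hold time and client addresses are constructed, and the model tracks only whether a reserved slot is released by the client's final ACK or by expiry of the hold period.

```python
from dataclasses import dataclass, field

@dataclass
class HandshakeServer:
    """Model of a server's half-open (SYN-received) table: each SYN reserves
    one slot until the matching ACK arrives or the slot times out.
    Constructed illustration, not code from the patent."""
    capacity: int      # slots the server can reserve (its limited resources)
    timeout: float     # seconds a half-open slot is held before release
    half_open: dict = field(default_factory=dict)  # (ip, port) -> expiry time
    established: set = field(default_factory=set)
    refused: int = 0   # SYNs turned away because the table was full

    def _expire(self, now):
        # Release slots whose hold time has elapsed.
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]
    def on_syn(self, client, now):
        """Client sent SYN: reserve a slot and 'send' SYN-ACK, or refuse."""
        self._expire(now)
        if client in self.half_open:
            return True                       # retransmitted SYN, slot already held
        if len(self.half_open) >= self.capacity:
            self.refused += 1                 # resources exhausted
            return False
        self.half_open[client] = now + self.timeout
        return True

    def on_ack(self, client, now):
        """Client sent the final ACK: complete the session if a slot is held."""
        self._expire(now)
        if client not in self.half_open:
            return False                      # timed out or never offered
        del self.half_open[client]
        self.established.add(client)
        return True

def run_scenario():
    """Capacity-4 server, 30 s hold time: four clients send SYN and never ACK,
    so a well-behaved client is refused until those entries expire."""
    srv = HandshakeServer(capacity=4, timeout=30.0)
    silent = [("10.0.0.%d" % i, 40000 + i) for i in range(4)]  # constructed
    for c in silent:
        srv.on_syn(c, now=0.0)
    good = ("192.0.2.10", 51000)                                # constructed
    refused = not srv.on_syn(good, now=1.0)    # table full
    accepted = srv.on_syn(good, now=31.0)      # stale entries released
    completed = srv.on_ack(good, now=31.5)
    return refused, accepted, completed, srv.refused, len(srv.established)
```

The scenario shows the point the passage makes: while unanswered SYNs hold every slot, a legitimate client's SYN is refused, and service resumes only after the hold period releases the stale reservations.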
United States Patent Application Publication No. 2003/0226032 to Robert, the disclosure of which is incorporated by reference herein in its entirety, describes a mechanism for detecting denial of service attacks. A probabilistically determined portion of input packets of a connection are processed using a hash function to determine whether the packets belong to the flow initiated by a TCP SYN packet. A drawback of Robert is that it is dependent on the server handling traffic in advance of the flow detection. Once the server has been overloaded, the denial of service condition has been met.
U.S. Pat. No. 7,921,462 to Rooney et al. (“Rooney”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for detecting DDoS attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter, which might comprise the volume of packets received, is analyzed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behavior can be employed to identify traffic distortions revealing a DDoS attack. A drawback of Rooney is that it is unable to prevent a “SYN flood” attack, as no single packet will meet the thresholds set.
United States Patent Application Publication No. 2002/0120853 to Tyree, the disclosure of which is incorporated by reference herein in its entirety, describes scripted distributed denial-of-service (DDoS) attack discrimination using Turing, i.e., intelligence, tests. A drawback of Tyree is that it cannot be automatically implemented on systems where background communication is necessary, such as simple mail transport protocol (SMTP), and is not plausible in today's Internet topology. Moreover, Turing tests are cumbersome for users.
United States Patent Application Publication No. 2004/0008681 to Govindarajan et al. (“Govindarajan”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for delaying allocation of resources until after the TCP three-way handshake is successfully completed. A drawback of Govindarajan is that implementation in an apparatus is complicated and performance scalability is difficult to achieve in asymmetric networks.
United States Patent Application Publication No. 2002/0103916 to Chen et al. (“Chen”), the disclosure of which is incorporated by reference herein in its entirety, describes architecture for thwarting denial of service attacks on a victim data center. The system includes a first plurality of monitors that monitor network traffic flow through the network. A central controller receives data from the plurality of monitors, over a hardened, redundant network. A drawback of Chen is that it cannot protect against “spoofed” attacks.